<div dir="ltr">Hi<div><br></div><div>Any other suggestions?</div><div><br></div><div>Thanks!</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 5, 2015 at 8:58 PM, Dharmendra Parakh <span dir="ltr"><<a href="mailto:dharmendra@confluxsys.com" target="_blank">dharmendra@confluxsys.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Ivan<div><br></div><div>I tried both the setups but no luck. Still the group is getting created in AD but midpoint is not storing the shadow.</div><div><br></div><div><br></div><div>Thanks!</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 5, 2015 at 6:39 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi Dharmendra,<br>
<br>
can you please try with this:<br>
<br>
...<br>
<connectorConfiguration><br>
<b> <icfc:resultsHandlerConfiguration></b><b><br>
</b><b>
<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler></b><b><br>
</b><b>
</icfc:resultsHandlerConfiguration></b><b><br>
</b><br>
<!-- Configuration specific for the Active Directory
connector --><br>
<icfc:configurationProperties<br>
...<br>
<br>
Alternatively:<br>
<br>
<icfc:resultsHandlerConfiguration><br>
<icfc:enableFilteredResultsHandler><b>true</b></icfc:enableFilteredResultsHandler><br>
<icfc:enableCaseInsensitiveFilter><b>true</b></icfc:enableCaseInsensitiveFilter><br>
</icfc:resultsHandlerConfiguration><br>
<br>
But please start with the <b>first</b> setup. The first config will
switch off the result handler filtering in ICF; the second will leave
it turned on, but switch it to case-insensitive...<br>
<br>
Please let us know. Thank you.<br>
<br>
Regards,<br>
Ivan<div><div><br>
<br>
<div>On 03/05/2015 12:08 PM, Dharmendra
Parakh wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>I could not find the shadow in midpoint's repository page
(xml). I think this is probably the problem: midpoint did
not store the shadow somehow.</div>
<div><br>
</div>
<div>No attribute of this resource is dependent on user/role
attributes; the user is going to enter the value.</div>
<div><br>
</div>
<div>Thanks</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Mar 5, 2015 at 3:53 PM, Ivan
Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Dharmendra,<br>
<br>
so far I can't see any reason for it not working, especially
if it works in LDAP.<br>
<br>
Can you please check this:<br>
<br>
- open your user in midPoint's repository pages (XML)<br>
- check the oid of the Shadow in linkRef<br>
- open the shadow in midPoint's repository pages (XML)<br>
- check the attributes attributes/icfs:name and
attributes/icfs:uid - they should be at the bottom of the
object. Are these ok?<br>
<br>
midPoint seems to be unable to find the object - as this
is AD, it should be located by the GUID (icfs:uid).<br>
I have a strange feeling that this is related to string
case.<br>
<br>
BTW. I don't see any outbounds to generate icfs:name for
that group; is this done in the role(s)? Does the name
somehow depend on user attributes?<br>
<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On 03/05/2015 10:38 AM, Dharmendra Parakh wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>Thanks for all the information.</div>
<div><br>
</div>
<div>My requirement is just to create an AD group
on the target and at this point I do not want to
assign this group to any user. So basically we
want to use this resource for group creation
purposes only.</div>
<div><br>
</div>
<div>I am well aware of the way you have described
for group creation as entitlement (I have tried
that and it works) but we want to avoid the
multiple steps involved in entitlement creation
and also we want to create this under a
user/role as an assignment/account only because
group management becomes easy for us this way.
As I have mentioned we are doing the same in
case of the ldap resource and that is working for
us. I cannot think of any reason why midpoint
will behave differently for ad and ldap.</div>
<div><br>
</div>
<div>AFAIK for the connector a group is just an object
class like account so I think it should work
logically. I think I am missing something or I
have some issue in the resource. I will appreciate
any help on this.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Mar 5, 2015 at
2:39 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi
Dharmendra,<br>
<br>
I'm not sure if I understand what you try to
achieve.<br>
<br>
Do you want to create an AD group for a given
user in midPoint? Or do you want to create
the group through midPoint and then assign it
to a user?<br>
<br>
I would definitely not change the default
object class for "account" to
CustomGroupObjectClass. Just use kinds and
intents in schema handling.<br>
<br>
In my project I have the following setup: I
want to create users in midPoint, accounts
for them in AD. I also want to create groups
(and other objects) in AD that belong to
organizations in midPoint (part of org.
structure replication). And I also want to
put AD accounts to these groups. The
simplified example follows:<br>
<br>
1. in the resource, I define a new
kind=entitlement and
intent=group-municipality, e.g.:<br>
<objectType><br>
<kind><b>entitlement</b></kind><br>
<intent><b>group-municipality</b></intent><br>
<displayName>Municipality
groups</displayName><br>
<default>true</default><br>
<objectClass>ri:<b>CustomGroupObjectClass</b></objectClass><br>
<attribute><br>
. . .<br>
<br>
This means that I'm able to reference groups
of this "type" (I have several different
types of groups) as kind=entitlement and
intent=group-municipality.<br>
<br>
2. in the resource, I define an association for <b>accounts</b>
with this kind of groups:<br>
<objectType><br>
<kind><b>account</b></kind><br>
<intent><b>default</b></intent><br>
<displayName>Default Account -
Municipality users</displayName><br>
<default>true</default><br>
<objectClass>ri:<b>AccountObjectClass</b></objectClass><br>
. . .<br>
<association><br>
<ref>ri:adGroups</ref><br>
<tolerant>true</tolerant><br>
<matchingRule>mr:stringIgnoreCase</matchingRule><br>
<kind><b>entitlement</b></kind><br>
<intent><b>group-municipality</b></intent><br>
<direction>objectToSubject</direction><br>
<associationAttribute>ri:member</associationAttribute><br>
<valueAttribute>icfs:name</valueAttribute><br>
<explicitReferentialIntegrity>false</explicitReferentialIntegrity><br>
</association><br>
</objectType><br>
<br>
This means midPoint is able to associate AD
accounts with this type of groups and will
show the "Association" part in GUI when
editing user - list of groups for that
account.<br>
<br>
3. to <b>assign AD account to any existing
AD group</b> (EmailAllUsers in this
example), I have a role in midPoint:<br>
<br>
<role xmlns=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:c=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:icfs=<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</a><br>
xmlns:q=<a href="http://prism.evolveum.com/xml/ns/public/query-3" target="_blank">"http://prism.evolveum.com/xml/ns/public/query-3"</a><br>
xmlns:ri=<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a><br>
oid="b4b5059a-5cdc-4a2c-a184-bb6e0c67e064"><br>
<name>E-Mail</name><br>
<inducement><br>
<construction><br>
<!-- The c: prefix in
type must be there due to a JAXB bug --><br>
<resourceRef
oid="00000000-0000-0000-0001-100000000002"
type="c:ResourceType"/><br>
<association><br>
<ref>ri:adGroups</ref><br>
<outbound><br>
<strength>strong</strength><br>
<expression><br>
<associationTargetSearch><br>
<filter><br>
<q:equal><br>
<q:path><br>
declare namespace icfs=<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</a>;<br>
declare namespace ri=<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a>;<br>
attributes/ri:samAccountName<br>
</q:path><br>
<expression><br>
<script><br>
<code><br>
return '<b>EmailAllUsers</b>' <!--
group's sAMAccountName in AD --><br>
</code><br>
</script><br>
</expression><br>
</q:equal><br>
</filter><br>
<searchOnResource>true</searchOnResource><br>
</associationTargetSearch><br>
</expression><br>
</outbound><br>
</association><br>
</construction><br>
</inducement><br>
</role><br>
<br>
If this role is assigned to a user in
midPoint, it will create an AD account (if it
does not exist yet), search for a
group named "EmailAllUsers" (by
sAMAccountName) and add the user to that group
if such a group exists.<br>
<br>
4. if you want to <b>create groups</b> in
AD from midPoint, they must be regarded as a
projection of either a User, Organization or
Role in midPoint. In my scenario, for some
Organization I create the type of groups I
referred to above by assigning a role to an <b>organization</b>,
e.g.:<br>
<br>
<role
oid="00000000-0000-0000-0004-000000000010"<br>
xmlns=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:c=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:t=<a href="http://prism.evolveum.com/xml/ns/public/types-3" target="_blank">"http://prism.evolveum.com/xml/ns/public/types-3"</a>><br>
<name>Meta-role for organizational
structure replication to AD</name><br>
<inducement><br>
<construction><br>
<!-- AD resource --><br>
<resourceRef
oid="00000000-0000-0000-0001-100000000002"
type="c:ResourceType"/><br>
<b>
<kind>entitlement</kind></b><b><br>
</b><b>
<intent>group-municipality</intent></b><br>
</construction><br>
</inducement><br>
...<br>
</role><br>
<br>
This means that midPoint will create a group
of that type for the organization in
midPoint. Of course, in schemaHandling for
AD resource, in the kind=entitlement and
intent=group-municipality part, you have to
define proper outbound mappings (icfs:name =
DN; sAMAccountName and possibly other
attributes) to actually create the group.<br>
<br>
And that's all, so simple.<br>
<br>
Some examples can also be seen in our
OrgSync scenario wiki page: <a href="https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test" target="_blank">https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test</a>
(it is a different scenario from the one I've described
in my example, but it's very usable for
understanding the concept).<br>
<br>
Hope this helps.<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On 03/05/2015 09:44 AM, Dharmendra
Parakh wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi
<div><br>
</div>
<div>I have been playing around with the
AD Connector and I am facing an
issue where I was trying to create
an AD group using the AD
Connector.</div>
<div><br>
</div>
<div>I have a resource configured
where the default object class is
my AD Group object class and kind
is set to account.</div>
<div>When I try to create the group
by creating an account of this
resource I see the<b> group is
created on Active Directory</b>
but the same does not show up in the
midpoint UI under the User's accounts
panel.<br>
</div>
<div><br>
</div>
<div>I can see the linkRef in the user's
xml but it is not getting loaded
in the UI and also when I open the
user xml I see an error: </div>
<div><br>
</div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div>
<div><font size="1" color="#000000">[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],
objectclass={.../resource/instance-3}CustomGroupObjectClass:
Object identified by
[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]
was not found by
connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
v1.4.1.20257
@ConnectorServer27:22:8759)</font></div>
</div>
<div>
<div><font size="1" color="#000000">com.evolveum.midpoint.util.exception.ObjectNotFoundException:
Object not found.
identifiers=[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],
objectclass={.../resource/instance-3}CustomGroupObjectClass:
Object identified by
[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]
was not found by
connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
v1.4.1.20257
@ConnectorServer27:22:8759)</font></div>
</div>
<div>
<div><font size="1" color="#000000"><span style="white-space:pre-wrap">
</span>at
com.evolveum.midpoint.provisioning.consistency.impl.ObjectNotFoundHandler.handleError(ObjectNotFoundHandler.java:268)
~[provisioning-impl-3.2-SNAPSHOT.jar:na]</font></div>
</div>
<div>
<div><font size="1" color="#000000"><span style="white-space:pre-wrap">
</span>at
com.evolveum.midpoint.provisioning.impl.ShadowCache.handleError(ShadowCache.java:683)
~[provisioning-impl-3.2-SNAPSHOT.jar:na]</font></div>
</div>
</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>We have a similar setup for ldap
group provisioning and that works
fine.</div>
<div><br>
</div>
<div>I have attached my resource xml
with the email, please have a look
and let me know if I am doing
anything wrong here.</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards</div>
<div>Dharmendra</div>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
midPoint-dev mailing list
<a href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><span><font color="#888888">
</font></span></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
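The thread's diagnosis is that midPoint locates the AD group by its GUID (icfs:uid) and that the ICF filtered results handler, which re-applies the search filter to whatever the connector returns, may drop the object when the GUID string differs only in letter case. The following is an added example, not midPoint or connector code: a simplified Python model (an assumption about the mechanism, not the real ICF implementation) with constructed sample values, showing why a lookup misses under the default handler and succeeds under either of the two configurations Ivan suggested.

```python
"""Simplified model of a case-sensitive post-filter losing a GUID match.
Added example; the handler, filter and connector are stand-ins (assumption),
not ICF or midPoint code. Sample values below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample: GUID string as the shadow stored it vs. as the
# connector returns it. Same object, different letter case.
STORED_UID = "<GUID=B611C389EB74224BA3CAE9B9738BA1A6>"
RETURNED_UID = "<guid=b611c389eb74224ba3cae9b9738ba1a6>"


@dataclass
class ConnectorObject:
    object_class: str
    attrs: dict[str, str] = field(default_factory=dict)


def mock_ad_search(object_class: str, attr: str, value: str) -> list[ConnectorObject]:
    """Stand-in for the directory-side search, which matches the attribute
    case-insensitively (assumption modelling the directory's behaviour)."""
    candidate = ConnectorObject(object_class, {
        "__UID__": RETURNED_UID,
        "__NAME__": "CN=TestGroup,OU=Groups,DC=example,DC=test",  # constructed
    })
    return [o for o in [candidate] if o.attrs.get(attr, "").lower() == value.lower()]


def equals_filter(attr: str, value: str, case_insensitive: bool):
    """Filter re-applied by the framework's results handler."""
    def matches(obj: ConnectorObject) -> bool:
        got = obj.attrs.get(attr)
        if got is None:
            return False
        return got.lower() == value.lower() if case_insensitive else got == value
    return matches


def locate_by_uid(uid: str, enable_filtered_results_handler: bool,
                  enable_case_insensitive_filter: bool) -> ConnectorObject | None:
    """Return the object the IdM layer would see, or None (ObjectNotFound).
    The two flags mirror enableFilteredResultsHandler and
    enableCaseInsensitiveFilter from the thread's resultsHandlerConfiguration."""
    results = mock_ad_search("CustomGroupObjectClass", "__UID__", uid)
    if enable_filtered_results_handler:
        keep = equals_filter("__UID__", uid, enable_case_insensitive_filter)
        results = [o for o in results if keep(o)]  # exact re-check drops case mismatches
    return results[0] if results else None
```

Calling `locate_by_uid(STORED_UID, True, False)` returns None (the default handler re-checks exactly), while disabling the handler or enabling the case-insensitive filter returns the group; a genuinely wrong UID stays unmatched in every configuration.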